You can install a load balancer and configure it using third-party software. The following example shows how to install and configure nginx as a load balancer on Ubuntu 16.04.
NOTE: Advanced Authentication supports DNS round-robin and third-party VIPs, but only with sticky sessions. In this setup the DNS discovery mechanism is excluded from the workflow: Advanced Authentication clients are pointed at a load balancer that manages all traffic.
Target configuration:

| Component | Hostname | IP address | Role | Operating system |
|---|---|---|---|---|
| Domain controller | win-dc.utopia.locl | 192.168.1.56 | AD DS, DNS | Windows Server 2012 R2 |
| Advanced Authentication 5.5 | aaf-clu-gm.utopia.locl | 192.168.1.70 | Global Master | Advanced Authentication 5.5 |
| Advanced Authentication 5.5 | aaf-clu-gs.utopia.locl | 192.168.1.71 | Slave | Advanced Authentication 5.5 |
| Load balancer | llb.utopia.locl | 192.168.1.138 | nginx load balancer | Ubuntu 16.04 |
| Client | windows7v5.utopia.locl | 192.168.1.61 | AA Client | Windows 7 x64 |
Before you start the configuration, ensure that the following requirements are met:
A repository is configured in the Advanced Authentication appliance.
Both Advanced Authentication servers are installed and configured as Master and Slave.
The appropriate entries for both servers and the load balancer are added to DNS (the upstream hostnames are resolved when nginx starts, so they must exist before that).
Ubuntu 16.04 is installed on the load balancer host.
Update the package index and install nginx:

```sh
sudo apt-get update
sudo apt-get install nginx
```

Start nginx and verify that the web server is working:

```sh
sudo service nginx restart
```

Open a browser and go to http://192.168.1.138. The default nginx welcome page should be displayed.
nginx supports the following load balancing methods:
round-robin: requests are distributed across the application servers in round-robin order
least-connected: the next request is assigned to the server with the fewest active connections
ip-hash: a hash function over the client's IP address determines which server handles the request, so the same client keeps reaching the same server
This article uses the ip-hash configuration because the balanced REST queries require sticky sessions, and ip-hash provides an equivalent affinity without cookies. Be aware of its granularity: for IPv4 clients nginx hashes only the first three octets of the address, so all clients in one /24, or all clients behind one NAT address, are pinned to the same server and are not spread across the cluster. To configure nginx, perform the following steps:
Back up the original configuration file: sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf_original.
Copy the certificate file /etc/nginx/cert.pem from any Advanced Authentication server in the cluster to the same path on the load balancer. The file is used below as both ssl_certificate and ssl_certificate_key, so it contains the private key as well as the certificate: transfer it over an authenticated channel (for example scp) and keep it readable by root only.
Open nginx.conf and replace its contents with the following:
```nginx
user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    ##
    # Basic Settings
    ##
    sendfile on;
    #tcp_nopush on;
    #tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    #include /etc/nginx/mime.types;
    #default_type application/octet-stream;

    ##
    # SSL Settings
    ##
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
    # cert.pem was copied from an Advanced Authentication server and holds
    # both the certificate and its private key, hence the same file twice
    ssl_certificate /etc/nginx/cert.pem;
    ssl_certificate_key /etc/nginx/cert.pem;

    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

    resolver 192.168.1.56 valid=300s ipv6=off; # IP address of the DNS server (the domain controller)
    resolver_timeout 10s;

    upstream aaf-clu {
        ip_hash; # load balancing method: pin each client address to one server
        # the terminating ';' must precede the comment, or nginx reports the directive as unterminated
        server aaf-clu-gm.utopia.locl:443; # 192.168.1.70:443
        server aaf-clu-gs.utopia.locl:443; # 192.168.1.71:443
    }

    server {
        listen 443 ssl;

        # Rule for REST
        location ~ ^/api/v1 {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_pass https://aaf-clu$uri?$args;
        }

        # Administration portal
        location ~ ^/admin {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_pass https://aaf-clu$uri?$args;
        }

        # Static content
        location ~ ^/static {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_pass https://aaf-clu$uri?$args;
        }

        # Helpdesk portal
        location ~ ^/helpdesk {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_pass https://aaf-clu$uri?$args;
        }

        # Self-Service (enrollment) portal
        location ~ ^/enroll {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_pass https://aaf-clu$uri?$args;
        }
    }
}
```
This configuration balances the REST (/api/v1), administration (/admin), static content (/static), helpdesk (/helpdesk) and Self-Service portal (/enroll) requests across both Advanced Authentication servers. Validate the file with sudo nginx -t before reloading: in nginx a # starts a comment that runs to the end of the line, so the terminating ; of each server directive has to come before any trailing comment, otherwise nginx reports the directive as unterminated. The ssl_protocols line still permits TLS 1.0 and 1.1 on the client-facing side; unless legacy clients require them, restrict it to TLSv1.2 or later.
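The choice of ip-hash above rests on it behaving like a sticky session, so it is worth seeing exactly what nginx hashes. The following shell script is an added example, not code from the Advanced Authentication documentation or from nginx itself; it reproduces the selection rule of nginx's ip_hash module for IPv4 clients (hash over the first three octets only, starting from 89 and folding each octet in as h = (h * 113 + octet) % 6271, pick peer h % total_weight, rehash while the chosen peer is down) against the two servers in this article's cluster. The peer names, the assumption that every server has weight 1, the treatment of the fallback after the rehash limit, and the sample client addresses are the example's own.

```shell
#!/bin/sh
# Added example (not part of the Advanced Authentication documentation):
# reproduces the peer selection of nginx's ip_hash module for IPv4 clients.
# Assumptions: every upstream server has weight 1, peer names are passed in
# the same order as the server directives, addresses are plain dotted quads
# without leading zeros (a leading zero would be read as octal by $(( ))).

# usage: ip_hash_peer CLIENT_IP DOWN_PEERS PEER...   (DOWN_PEERS: comma-separated, may be "")
ip_hash_peer() {
    ip=$1
    down=",$2,"
    shift 2
    n=$#

    # split the dotted quad; the fourth octet is deliberately ignored, as in nginx
    o1=${ip%%.*}; r=${ip#*.}
    o2=${r%%.*};  r=${r#*.}
    o3=${r%%.*}

    h=89                                 # nginx's initial hash value
    tries=0
    while :; do
        for o in "$o1" "$o2" "$o3"; do
            h=$(( (h * 113 + o) % 6271 ))
        done
        w=$(( h % n ))                   # total_weight == n with weight 1 everywhere

        i=0
        for peer in "$@"; do             # walk the peers in config order
            if [ "$i" -eq "$w" ]; then break; fi
            i=$(( i + 1 ))
        done

        case $down in
            *",$peer,"*) ;;              # selected peer is down: keep hashing and retry
            *) echo "$peer"; return 0 ;;
        esac

        tries=$(( tries + 1 ))
        if [ "$tries" -gt 20 ]; then break; fi
    done

    # stands in for nginx's round-robin fallback after ~20 failed rehashes:
    # first peer that is not marked down
    for peer in "$@"; do
        case $down in
            *",$peer,"*) ;;
            *) echo "$peer"; return 0 ;;
        esac
    done
    return 1                             # every peer is down
}

# Constructed sample clients: the lab client from the table above, another host
# in the same /24, a host in a neighbouring /24 and one from a remote site.
for client in 192.168.1.61 192.168.1.200 192.168.2.10 10.0.0.1; do
    printf '%-14s -> %s\n' "$client" "$(ip_hash_peer "$client" "" aaf-clu-gm aaf-clu-gs)"
done
printf '%-14s -> %s (aaf-clu-gm marked down)\n' 192.168.1.61 \
    "$(ip_hash_peer 192.168.1.61 aaf-clu-gm aaf-clu-gm aaf-clu-gs)"
```

Running it shows that 192.168.1.61 and 192.168.1.200 both land on aaf-clu-gm, as does every other client in 192.168.1.0/24, while 192.168.2.10 and 10.0.0.1 go to aaf-clu-gs: with ip_hash the unit of stickiness is a /24 (or one NAT address), not a host, so clients on a single subnet are not balanced at all. It also shows that when aaf-clu-gm is marked down the same client is silently moved to aaf-clu-gs, so any server-local session state does not follow it; affinity survives only while the chosen server stays healthy.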
To point the Advanced Authentication client at the load balancer, make the following changes after installing the client on a workstation:
Install the Windows Client. For the procedure, see the section Installing Windows Client in the Advanced Authentication - Windows Client guide.
Open the configuration file C:\ProgramData\NetIQ\Windows Client\config.properties.
Set the parameter discovery.host = <IP_address_or_hostname_of_load_balancer>.
This setting points the Advanced Authentication Client at the load balancer, which then manages the REST API traffic between the Advanced Authentication Client and the Advanced Authentication servers.